Merz: Yes, often. We have enormous strengths: an excellent industry, strong technology companies, big data and excellent engineers. Europe alone produced around 30 zettabytes of data last year, which is a three with 22 zeros.
Instead of primarily talking about risks, we should talk much more about what we can do with them: new AI models, industrial applications, innovations. We have enormous potential in Europe – we just have to start and be bolder.
So your plea is: act pragmatically instead of getting lost in fundamental debates?
Merz: Exactly. Just do it. Manage risks professionally, but still drive innovation. That is the crucial point. We have great technology companies in Europe – not just SAP. We have strong chip manufacturers, excellent research and enormous amounts of data. Actually everything is there. The crucial question is: Why don’t we go out there with much more self-confidence and say clearly where our strengths lie and where we can be a global leader? After all, that’s exactly what other regions do too.
The Americans are not automatically better everywhere – they often simply appear bolder and more offensive. In Europe, we sometimes lack exactly this mindset: to believe more in our own abilities and to drive forward innovations with more self-confidence.
“The topic of sovereign cloud is becoming really big right now”
How scalable is the Sovereign Cloud actually? Many still see this as a niche market.
Merz: We’ve already made the big investments – now it’s time to scale. You can also see this in the customer projects. Of course, we cannot name all customers because many come from highly sensitive areas. But we now have, for example, Diehl in our Sovereign Cloud or the British tax authority HMRC, which processes 800 billion pounds of tax revenue per year. We just announced the partnership with Thales, Hensoldt is already a customer and Lockheed Martin has been live since January.
This shows that the topic is just getting really big.
At the same time, Europe has fallen behind when it comes to AI models such as Large Language Models. Does SAP work with European providers such as Mistral in this regard?
Merz: Yes, absolutely. The partnership with Mistral has already been announced and is currently having an even stronger effect, as are other collaborations. Basically, we work with European, American and other international providers – depending on what our customers need.
Of course, we are also bringing all the technologies that we have announced to the Sovereign Cloud. To do this, we further harden these solutions because we have to meet different security and compliance requirements depending on the country. But technologically speaking, we are absolutely up to date when it comes to partnerships.
There are different levels of digital sovereignty. Some only want BSI-compliant operations, others want maximum isolation. Are there such gradations in SAP offerings too?
Merz: When we talk about “sovereign,” we have a very clear definition for it with four dimensions.
The first is Data Sovereignty: Data and metadata remain in the country or at least in the region.
The second is Operational Sovereignty: Who accesses the data? What nationality are these employees? Many of our teams have appropriate security clearances from government agencies.
The third level is this Technical Sovereignty. This includes, for example, that the control plane – to put it simply, the brain of the cloud – is always operated in the respective country. Added to this is our specially hardened software.
And the fourth dimension is this Legal Sovereignty: We meet the regulatory requirements and safety requirements of the respective country.
Only when all four levels are met do we really speak of Sovereign Cloud.
What do you mean by “hardened software” specifically?
Merz: This is actually one of our big advantages. It all started with the requirements of the US government. There we had to align our software with very strict security and sovereignty requirements.
Then Australia and other countries came along – each with additional requirements. The BSI, in turn, had its own additional requirements. As a result, our platform has become more and more secure step by step.
I like to compare it with a Mercedes G-Class: There is the normal version – and the armored one. We have continually expanded our ‘armour’ over the years. That’s why we can go to new countries today and often say: We already largely meet your requirements.
“Sovereignty does not define SAP alone”
Does that also mean that regulators are closely involved?
Merz: Exactly. Sovereignty does not define SAP alone. We take our concepts directly to the national authorities and security organizations. In France, for example, we coordinate closely with the cybersecurity agency ANSSI.
The authorities look at everything very closely, give feedback, demand adjustments – and in the end a model is created that meets the respective national requirements. This is exactly how digital sovereignty has to work.
To what extent does this approach work in practice? Many companies check very carefully which data and processes really need to be in a sovereign cloud – if only for cost reasons. And some would prefer to stay on-prem.
Merz: In fact, about 50 percent of my conversations end up recommending to customers: stay in the normal public cloud. Not everyone needs a sovereign cloud.
For example, I was talking to a large food manufacturer. At first it was said: ‘We absolutely need Sovereign Cloud.’ But after an hour of discussion it was clear: it was actually about security – not sovereignty. And our public cloud already meets the security requirements at a very high level.
Sovereign Cloud is particularly needed where regulatory or national security requirements apply. The classic example is operators of critical infrastructure or the military with secret or top secret data. Such data cannot simply be placed in a normal public cloud. At the same time, these customers also want to use innovations – and these are now almost exclusively created in the cloud. This is exactly why we developed our Sovereign offers.
Which variants does SAP specifically offer?
Merz: We have different models. On the one hand, SAP Sovereign Cloud on AWS – particularly widespread in the Five Eyes states and increasingly in Europe. Then there are close collaborations with Microsoft, for example around Delos or Azure Government Cloud.
We also operate our own SAP cloud infrastructures. This was a clear customer request: European data centers under SAP control. In Germany we work closely with the BSI here. For example, we will soon receive permission to process data with security level VS-NfD. This is particularly interesting for customers such as the Diehl Group or authorities.
And then there is our latest offer: “SAP On Site”. The name is perhaps a bit unfortunate because it quickly sounds like classic on-prem. But technically it is something different.
“On-Site brings the SAP cloud infrastructure directly to the customer data center”
What exactly is “On Site”?
Merz: We bring our complete SAP cloud infrastructure directly to the customer’s data center. It will continue to be operated by SAP – including cloud technology, security and innovations.
This means that even the highest security levels can be mapped, up to top secret or COSMIC secret requirements. The model is particularly interesting for the military, defense companies, critical infrastructures or ministries.
The big advantage: Customers get the complete stack – infrastructure, platform, applications, AI services – directly on site, but it is still operated as a real cloud model.
That sounds a lot like classic on-premises.
Merz: Yes, you can certainly see it that way. But the difference is crucial: it continues to be operated as a cloud. Customers automatically receive new innovations, AI features and updates – just like in our other cloud offerings.
Ultimately, this is the combination that many are looking for: maximum control and access to modern cloud innovation at the same time.
How about the price? Gartner says that, on average, companies would accept perhaps a 15 percent surcharge for sovereign cloud offerings. Is SAP on this scale?
Merz: Of course, I won’t comment on specific prices in detail. But I would say: This assessment is not that far off the mark.
I like to compare this again with the Mercedes G-Class: the armored version obviously costs more than the standard model. But the difference remains within an understandable framework.
The costs probably also depend heavily on the respective country? Is there a trend in Europe to outsource workloads to other countries for cost reasons – for example to Eastern Europe?
Merz: Interestingly, we experience quite the opposite. Countries along the eastern NATO border are particularly interested in SAP infrastructures in Germany.
There are geostrategic reasons for this. Many people say quite openly: We would prefer to operate sensitive data a little further away from certain geopolitical tension zones. Germany is considered a stable and trustworthy location.
That’s why we’re currently having discussions about how customers can use our SAP data centers in Germany – not the other way around.
An argument in favor of local infrastructure is often the shortage of skilled workers.
Merz: That’s exactly why we rely heavily on international cooperation. Our staff have security clearances, and bilateral government agreements allow experts to be deployed relatively quickly between countries.
If, for example, a country needs specialists at short notice, colleagues from Germany or other locations can provide support – of course in coordination with the respective authorities. These processes have existed for years and work very well.
As a result, we have now built up an enormous international knowledge network. We now offer sovereign cloud solutions in around two dozen countries. This allows us to quickly share experiences and best practices between customers and states.
So a kind of international security community is now emerging around SAP?
Merz: Yes, definitely. For example, we have our own Defense User Group in which military customers exchange information. Many people don’t even know: 23 of the 32 NATO armies use SAP systems.
These customers talk openly with each other about experiences, technologies and challenges. We sit at the table, listen and learn from it too. This helps everyone involved – and accelerates innovation enormously.
